[openssl-users] Implementing deprecation of commonname and emailaddress

Viktor Dukhovni openssl-users at dukhovni.org
Thu Aug 17 15:15:20 UTC 2017

On Thu, Aug 17, 2017 at 12:56:20AM -0400, Jeffrey Walton wrote:

> > Remove commonName and emailAddress completely from the cnf file. They no
> > longer belong in any cert, root or intermediate CA certs, server or user
> > certs.
> CommonName is supplied for viewing by tools like certificate viewers.
> It should probably be a friendly name, like "Example Web Services".

RFC 5280 suggests an empty subject DN with all the desired names
in the subject alt name extension.

> When you see a name like "example.com" in the CN, its usually a CA
> including a domain name and not a hostname.

That's nonsense.

> > For servers include something like in the cnf file:
> >
> > subjectAltName = DNS:www.example.com, DNS:example.com, DNS:localhost,
> > email:postmaster@example.com
> Don't include an email address.

That is, don't include unless the certificate is intended for S/MIME.

> X.509 and PKIX certificates don't really have a proper field for email
> addresses. That's why they get mashed into CommonName.

They sure do, that's what rfc822Name is for in the subject alt name
extension.  It supports S/MIME certificates.  There's even recent
work (soon to be an RFC) to internationalize this with SmtpUTF8Name...

> > Um, I can specify 'localhost' in this manner if I am on the server and
> > connecting in the browser with https://localhost ??
> Yes.

You can, but it is not a good idea.  Since that "localhost" will
then work on every host that trusts the issuing CA.  The only way
to make this reasonably secure is to have a per-host issuing CA
that's only trusted on *that* host, and *that* CA can then issue
the "localhost" certificate.  All the hosts can additionally
trust other shared CAs.

> > I am looking at how to build the above line using ENV variables. It is more
> > a matter of how I do it than can I do it...

The tricky bit is creating a variable number of SAN elements; I don't
know how to do that with just environment variables.  Sometimes building
a config file on the fly is the way to go.
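As an added example (not part of the thread, and not OpenSSL project code), the following POSIX shell builds the extension config on the fly as the reply suggests: the DNS and rfc822Name entries come from whitespace-separated lists, so the number of SAN elements can vary, the subjectAltName is marked critical so it is valid alongside an empty subject DN, and a check refuses "localhost" unless the caller states that a per-host CA is being used. The function names (gen_san_ext, gen_ext_cnf, check_san_names, issue_demo_cert), the section name server_ext and the ALLOW_LOCALHOST variable are assumptions made for this example; the names example.com and postmaster@example.com are constructed sample input.

```shell
#!/bin/sh
# Added example: generate an OpenSSL x509 extension file with a variable
# number of subjectAltName entries, instead of a fixed cnf line.

# gen_san_ext DNS_LIST EMAIL_LIST
#   Prints the subjectAltName value, e.g. "DNS:a, DNS:b, email:c".
#   EMAIL_LIST should normally be empty unless the cert is for S/MIME.
gen_san_ext() {
    _out=""
    for _n in $1; do
        _out="${_out:+$_out, }DNS:$_n"
    done
    for _e in $2; do
        _out="${_out:+$_out, }email:$_e"
    done
    printf '%s\n' "$_out"
}

# check_san_names DNS_LIST
#   Returns 1 if "localhost" appears and ALLOW_LOCALHOST is not set to 1,
#   because a CA-issued "localhost" cert validates on every host that
#   trusts that CA; only a per-host CA makes this reasonable.
check_san_names() {
    for _n in $1; do
        if [ "$_n" = "localhost" ] && [ "${ALLOW_LOCALHOST:-0}" != "1" ]; then
            echo "refusing DNS:localhost without a per-host CA" >&2
            return 1
        fi
    done
    return 0
}

# gen_ext_cnf DNS_LIST EMAIL_LIST
#   Prints a complete [ server_ext ] section for `openssl x509 -extfile`.
#   SAN is critical so the cert is valid with an empty subject (RFC 5280).
gen_ext_cnf() {
    _san=$(gen_san_ext "$1" "$2")
    printf '[ server_ext ]\n'
    printf 'basicConstraints = CA:FALSE\n'
    printf 'keyUsage = critical, digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth\n'
    printf 'subjectAltName = critical, %s\n' "$_san"
}

# issue_demo_cert: end-to-end demo with a throwaway CA; runs only when
# openssl is installed and the script is invoked with the "demo" argument.
issue_demo_cert() {
    _dns=${SAN_DNS:-"www.example.com example.com"}   # assumed env var name
    _mail=${SAN_EMAIL:-""}                            # assumed env var name
    check_san_names "$_dns" || return 1
    _d=$(mktemp -d)
    gen_ext_cnf "$_dns" "$_mail" > "$_d/ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$_d/ca.key" \
        -x509 -days 30 -subj "/CN=Example Test CA" -out "$_d/ca.pem"
    # Empty subject DN for the server cert: names live in the SAN only.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$_d/srv.key" \
        -subj "/" -out "$_d/srv.csr"
    openssl x509 -req -in "$_d/srv.csr" -CA "$_d/ca.pem" -CAkey "$_d/ca.key" \
        -CAcreateserial -days 30 -extfile "$_d/ext.cnf" \
        -extensions server_ext -out "$_d/srv.pem"
    openssl x509 -in "$_d/srv.pem" -noout -subject -ext subjectAltName
    rm -rf "$_d"
}

if [ "${1:-}" = "demo" ] && command -v openssl >/dev/null 2>&1; then
    issue_demo_cert
fi
```

Run it as `SAN_DNS="www.example.com example.com" sh san.sh demo` to see the issued certificate's (empty) subject and its SAN list; add `ALLOW_LOCALHOST=1` only when the issuing CA is trusted on that one host, as the reply describes.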


More information about the openssl-users mailing list